Greetings once again,
TQN,
I was now able to manually use your technique to find the OEP. I also made
a couple of modifications to your script to get it to work properly.
Manually I followed it pretty much as you described.
The only extra step I encountered was that after executing till return I had to step
out of the call to see the described JE test a few bytes above the call.
Your script still did not work until I made the following mods:
Original script contents: (This section of code never resolved correctly.)
-----------------------
@@1:
rtr <----- RTR is buggy and does not break correctly.
mov addr, eip
sub addr, B <----- subtracting only 11 bytes places only offset in addr, therefore cmp for JE bytes below never is true.
mov opcode, [addr]
and opcode, FFFF
cmp opcode, 840F
je @@2
eob @@1
run
Changing the script to this seemed to work perfectly.
---------------------------------------------------
@@1:
rtu                 // run till user code instead of rtr, which did not break correctly
mov addr, eip       // eip is now the address the call returned to
sub addr, D         // 13 bytes back, so addr lands on the JE opcode, not on its rel32 offset
mov opcode, [addr]  // read a dword at addr
and opcode, FFFF    // keep only the first two bytes
cmp opcode, 840F    // bytes 0F 84 = JE rel32
je @@2              // found the tail-jump test, go handle it
eob @@1             // otherwise run again and come back here on break
run
Attached is the revised script that worked on all my test applications.
With one App I tested, PEiD did not find the correct OEP but the script worked.
Turns out it was a problem with it being a console app and an invalid PE header, even though it ran fine.
-bg
Last edited by bgrimm; 05-23-2004 at 08:33.
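As an added illustration (not part of bgrimm's post or the attached script), this Python reproduces the script's opcode test on a constructed byte snapshot and shows why "sub addr, B" lands inside the JE's rel32 offset while "sub addr, D" lands on the 0F 84 opcode. The two filler bytes between the JE and the CALL are an assumption, chosen so the post's two constants line up.

```python
import struct

# 'cmp opcode, 840F' in the script: the bytes 0F 84 (JE rel32) read as a little-endian word.
JE_REL32_WORD = 0x840F

def read_dword(mem: bytes, base: int, addr: int) -> int:
    """Emulate 'mov opcode, [addr]': a 32-bit little-endian read from the snapshot."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        raise ValueError(f"address {addr:#x} is outside the snapshot")
    return struct.unpack_from("<I", mem, off)[0]

def je_check(mem: bytes, base: int, eip: int, delta: int):
    """The script's test: addr = eip - delta; (dword [addr] & FFFF) == 840F.
    Returns (matched, addr, masked_word) so the failing case can be inspected too."""
    addr = eip - delta
    word = read_dword(mem, base, addr) & 0xFFFF
    return word == JE_REL32_WORD, addr, word

# Constructed snapshot (not taken from a real target). Assumed layout, chosen so the
# post's two constants line up: JE rel32 (6 bytes), 2 filler bytes, CALL rel32 (5 bytes).
BASE = 0x00401000
SNAPSHOT = bytes.fromhex(
    "0F84" "11000000"   # je  +0x11  (the test the script is looking for)
    "90" "90"           # assumed filler between the je and the call
    "E8" "22000000"     # call +0x22 (the call the debugger returns from)
    "C3"                # next instruction, i.e. the return address
)
RETURN_ADDR = BASE + 6 + 2 + 5   # eip once 'rtu' has landed back in user code

def compare_deltas(mem: bytes = SNAPSHOT, base: int = BASE, eip: int = RETURN_ADDR) -> dict:
    """Run the check with the original (B) and the revised (D) subtraction."""
    return {delta: je_check(mem, base, eip, delta) for delta in (0xB, 0xD)}

if __name__ == "__main__":
    for delta, (ok, addr, word) in compare_deltas().items():
        print(f"sub addr, {delta:X}: addr={addr:#010x} word={word:04X} match={ok}")
```

With delta B the word read is 0011, the low bytes of the JE's rel32 offset, which is exactly the "only offset in addr" symptom described in the post.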